SQL Attacks On The Rise
Tell me something I didn't know. I occasionally do a search engine lookup for my pet project, Free Realty, just to see how I'm faring in the search engine world. Most of the time I find innocuous mentions and, if I'm lucky, I have the top ranked link. Well, not on June 21, 2006. On that day I found that a 14 year old "security tester" ran a script or something against my demo site, finding that one variable didn't get properly tested before being passed to the database. According to "r0t", "This can be exploited to manipulate SQL queries." He then claims that there is a Cross Site Scripting (XSS) vulnerability, though he doesn't show how that can be exploited. He goes on to state that certain versions of the package reveal information about the server. Whether the server shows installation paths or not, which is what he's writing about, depends upon the server configuration, not the web pages on it.
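The flaw described above, an untested request variable spliced into a query, is easiest to see side by side with its fix. The following is an added example and not code from this post or from Free Realty; the `listings` table, its columns, the sample rows and the `city` search parameter are all assumptions made up for the demonstration. It shows that the concatenated query returns every row when the variable carries a quote-and-OR fragment, while the same search done with a bound parameter treats that fragment as plain data and matches nothing. A simple allow-list check is included as the kind of "proper test" the post mentions, as defence in depth rather than a substitute for parameters.

```python
import re
import sqlite3

# Constructed sample data (not Free Realty's schema): table and column names are assumptions.
LISTINGS = [
    (1, "Lakeside cottage", "Smallville"),
    (2, "Downtown loft", "Metropolis"),
    (3, "Farmhouse", "Smallville"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed listings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, city TEXT)")
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?)", LISTINGS)
    return conn


def search_vulnerable(conn, city):
    """The flaw: the request variable becomes part of the SQL text itself."""
    sql = "SELECT id, title FROM listings WHERE city = '" + city + "'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, city):
    """The fix: the value is bound separately, so it is only ever compared as data."""
    sql = "SELECT id, title FROM listings WHERE city = ?"
    return [row[0] for row in conn.execute(sql, (city,))]


def is_plausible_city(value):
    """Allow-list check for the city variable: letters, spaces, dots and hyphens only.

    This is the 'test before passing to the database' step; it rejects quote
    characters and operators outright, but parameter binding remains the real fix.
    """
    return bool(re.fullmatch(r"[A-Za-z .-]{1,64}", value))


def demo():
    """Run both searches with an ordinary value and with a constructed hostile value."""
    conn = make_db()
    ordinary = "Smallville"
    hostile = "' OR '1'='1"  # constructed input of the kind the report describes
    return {
        "vulnerable_ordinary": search_vulnerable(conn, ordinary),  # [1, 3]
        "vulnerable_hostile": search_vulnerable(conn, hostile),    # [1, 2, 3]: every row leaks
        "fixed_ordinary": search_fixed(conn, ordinary),            # [1, 3]
        "fixed_hostile": search_fixed(conn, hostile),              # []: no city has that name
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(name, ids)
    print("hostile value passes allow-list:", is_plausible_city("' OR '1'='1"))
```

The point of running both searches against the same data is that the fixed version changes nothing for legitimate input; only the manipulated query behaves differently.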
So how it comes down is that there is some kid trying to make a name for himself by running whatever scripts against web sites. He claims that he doesn't bother contacting the author because one author didn't email him back or fix their program. So there isn't any reason for courtesy, I guess. I did fix the flaw, plus a couple of others that he didn't find in his haste to post about this one, and I managed to do it within 24 hours of finding the flaw listed on his site. I do notice that the other similar package hasn't been fixed. I guess they don't have as big an ego as I do.
What originally set me off was an article on secureworks.com. Ah well. I guess he’s doing what he thinks is “right”, but I’m not impressed with his “ski11z”. I would have been far more impressed with an email.